Old 07-29-2010, 10:41 AM   #1
Since1995
LQ Newbie
 
Registered: Sep 2008
Posts: 8

Rep: Reputation: 0
Blocking users who are not defined in DNS record


Aloha friends!!

In our organization we use a static IP addressing scheme (some departments have DHCP, which is not related to this thread). We use Squid as proxy.

We assign each machine its IP address, make an entry in our TinyDNS database, and provide those details to users, which they manually enter in their config and then access the network. We assign different ranges of IPs to different departments. This we consider the "proper way" for our organization.

But we have found that a lot of users are simply guessing some IPs and using them without having any entry in our DNS record. Though this works for some, most of the time we end up having IP conflicts and disorganization in our organizational allocation policy.

So, my question is: how do I block the specific IPs whose entry is not explicitly defined in our DNS record? In other words, if the IP 192.168.20.15 (let's say he is jack.ourorganization.com) is defined in our DNS, we should allow access, whereas if IP 192.168.20.16 (this does not translate to any user, as it is not defined in our DNS) is not defined in our DNS, we should not allow it access to our network.

I hope my friends here will be able to guide me. Thanks in advance.
 
Old 07-29-2010, 11:46 AM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
What you really need to be doing is monitoring this on your subnets. If not at the managed switch level, look into the arpwatch program. It is extremely handy for this purpose.

By default, OpenSSH enables a feature (the sshd_config directive is UseDNS) that will warn you when a forward and reverse DNS lookup does not match for a client. If you've not created a DNS rec for a particular IP, this should fire off a warning to your logs, and you can deal with it at that time.

Additionally, tcp wrappers (controlled using /etc/hosts.allow) provides a PARANOID wildcard that can allow you to act on sshd clients whose DNS/rDNS recs don't match up.

Still, if someone grabs an IP address that is registered with your DNS, this doesn't help you. Again, the answer is to start monitoring your subnets and more forcefully addressing the root cause of the problem.
 
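The check that anomie's post describes, the forward/reverse comparison behind sshd's UseDNS warning and the tcp_wrappers PARANOID wildcard, as an added example that is not code from the thread or from OpenSSH/tcp_wrappers. The resolver is injectable so it runs offline against a constructed zone modelled on the OP's two addresses (192.168.20.17 and .19 are assumed failure cases); real_reverse/real_forward wrap the socket module for live use.

```python
"""Forward-confirmed reverse DNS (FCrDNS): the test behind sshd's UseDNS
warning and the tcp_wrappers PARANOID wildcard.

Added example; not code from the thread. The resolver is injectable so the
demo runs offline against a constructed zone; real_reverse/real_forward wrap
the socket module for live lookups.
"""
import socket
from typing import Callable, Dict, List

# Constructed zone, modelled on the thread's example: .15 is registered as
# jack.ourorganization.com, .16 has no record at all. The other two entries
# are assumed failure modes: .17 has a PTR whose forward record points
# elsewhere, .19 has a PTR naming a host with no A record.
FAKE_PTR: Dict[str, str] = {
    "192.168.20.15": "jack.ourorganization.com",
    "192.168.20.17": "jill.ourorganization.com",
    "192.168.20.19": "ghost.ourorganization.com",
}
FAKE_A: Dict[str, List[str]] = {
    "jack.ourorganization.com": ["192.168.20.15"],
    "jill.ourorganization.com": ["192.168.20.18"],
}


def fake_reverse(ip: str) -> str:
    """PTR lookup against the constructed zone; raises like gethostbyaddr."""
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]


def fake_forward(name: str) -> List[str]:
    """A lookup against the constructed zone; raises like gethostbyname_ex."""
    if name not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_A[name]


def real_reverse(ip: str) -> str:
    """Live PTR lookup via the system resolver."""
    return socket.gethostbyaddr(ip)[0]


def real_forward(name: str) -> List[str]:
    """Live A lookup via the system resolver (all addresses)."""
    return socket.gethostbyname_ex(name)[2]


def classify(ip: str,
             reverse: Callable[[str], str] = fake_reverse,
             forward: Callable[[str], List[str]] = fake_forward) -> str:
    """Return 'ok', 'no-ptr', 'no-forward' or 'mismatch' for a client IP.

    Only 'ok' is a forward-confirmed name: the PTR yields a name, and that
    name's A records include the original address. Every other result is
    what UseDNS logs a warning for and what PARANOID refuses.
    """
    try:
        name = reverse(ip)
    except OSError:          # socket.herror is an OSError subclass
        return "no-ptr"
    try:
        addrs = forward(name)
    except OSError:          # socket.gaierror likewise
        return "no-forward"
    return "ok" if ip in addrs else "mismatch"


def paranoid_allows(ip: str, **resolvers) -> bool:
    """True only when the client passes the full forward/reverse check."""
    return classify(ip, **resolvers) == "ok"


if __name__ == "__main__":
    for ip in ("192.168.20.15", "192.168.20.16", "192.168.20.17", "192.168.20.19"):
        print(f"{ip:16} {classify(ip):12} allowed={paranoid_allows(ip)}")
```

For live use call `classify(ip, reverse=real_reverse, forward=real_forward)`. The tcp_wrappers equivalent is `ALL: PARANOID` in /etc/hosts.deny. Note the limits the post already points out: a client that squats on an address that does have matching records passes this check, and an address with a PTR but no matching A record is refused even if it is "in DNS" in some loose sense, so fix both directions of the zone before turning this into a hard deny.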
Old 07-29-2010, 11:54 AM   #3
business_kid
Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 6,299

Rep: Reputation: 550
I don't know if you will, if they are on the one network. If anyone is half determined, he can surely get around what you can do. DNS resolves to dotted decimal; that's why blocking dotted decimal is a tricky approach. You could lose them for a while going to IPv6 in octal :-D. Can you split the thing up into departments, subnets, or levels and control access that way?
 
Old 08-03-2010, 03:40 AM   #4
wertum
Member
 
Registered: Jul 2010
Location: usa
Distribution: ubuntu
Posts: 39

Rep: Reputation: 16
squid
 
Old 08-05-2010, 05:55 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,140
Blog Entries: 54

Rep: Reputation: 2791
Quote:
Originally Posted by wertum View Post
squid
Please do not make single word or line posts without explaining yourself in this forum, especially since the OP already indicated using Squid.
 
Old 01-30-2011, 09:50 AM   #6
Since1995
LQ Newbie
 
Registered: Sep 2008
Posts: 8

Original Poster
Rep: Reputation: 0
This is what I'm going to do.

Block all local IPs in Squid and selectively allow only the registered IPs. Already compiled a database (phew).


** We have UPSes, biometric access devices, IP cams, instruments, fire alarm (?) etc. which may not be registered in our DNS. So I need to be careful before blocking them.
 
Old 02-03-2011, 07:42 AM   #7
damade
LQ Newbie
 
Registered: Feb 2011
Distribution: Red hat, Solaris, AIX, HP-UX, FreeBSD
Posts: 15

Rep: Reputation: 2
I think you should try this ACL type:

acl aclname srcdom_regex [-i] \.foo\.com ...
# regex matching client name [slow]


example:

# Squid reverse-resolves the client IP and matches the PTR name against the regex
acl good_ones srcdom_regex \.yourdomain\.com

later:
# clients whose reverse name does not match are refused
http_access deny !good_ones


Hope it works for you.
Regards,
damade

P.S.: if users changing their IP is a problem for your company, why don't you look at the "ARP inspection" feature on your switches?

Last edited by damade; 02-03-2011 at 08:12 AM. Reason: add a pd:
 
1 member found this post helpful.
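The OP's plan in post #6 (deny the whole local range in Squid and allow only the registered addresses, with care for the unregistered devices) and the Squid ACL approach in post #7, carried through as an added example that is not code from the thread or from Squid/tinydns. It assumes the tinydns data-file format (`=fqdn:ip:ttl` creates A and PTR, `+fqdn:ip:ttl` creates A only, `-...` is a disabled record, `#` is a comment); the sample data, the device list, the 192.168.0.0/16 local prefix and the list-file path are all constructed/assumed.

```python
"""Generate a Squid allow-list of registered client IPs from a tinydns data
file, with explicit exceptions for devices that have no DNS entry.

Added example; not code from the thread. It assumes the tinydns data-file
format (=fqdn:ip:ttl creates A and PTR, +fqdn:ip:ttl creates A only,
-... is a disabled record, # is a comment). The sample data, device list,
local prefix and file path are constructed/assumed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed tinydns data file. 192.168.20.16 is deliberately disabled (-)
# so it must not be allowed; the NS, external and CNAME lines register no
# client machine.
SAMPLE_DATA = """\
# ourorganization.com - constructed sample
.ourorganization.com:192.168.1.2:a:259200
=jack.ourorganization.com:192.168.20.15:86400
=mary.ourorganization.com:192.168.20.22:86400
+printer-acct.ourorganization.com:192.168.30.40:86400
-old-host.ourorganization.com:192.168.20.16:86400
=www.ourorganization.com:203.0.113.10:86400
Cintranet.ourorganization.com:www.ourorganization.com:86400
"""

LOCAL_NET = ipaddress.ip_network("192.168.0.0/16")   # assumed office range

# Assumed addresses for the unregistered devices post #6 warns about.
UNREGISTERED_DEVICES: Dict[str, str] = {
    "192.168.40.5": "ups-serverroom",
    "192.168.40.6": "ipcam-lobby",
}

LIST_PATH = "/etc/squid/registered_clients.txt"   # assumed location


def registered_hosts(data_text: str) -> Dict[str, str]:
    """Map ip -> fqdn for every enabled A record (= or + line) inside LOCAL_NET."""
    hosts: Dict[str, str] = {}
    for raw in data_text.splitlines():
        line = raw.strip()
        if not line or line[0] not in "=+":
            continue                      # comments, NS/MX/CNAME, disabled (-)
        fields = line[1:].split(":")
        if len(fields) < 2 or not fields[1]:
            continue
        fqdn, ip = fields[0], fields[1]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                      # malformed address, skip it
        if addr in LOCAL_NET:
            hosts[str(addr)] = fqdn
    return hosts


def allow_list(hosts: Dict[str, str], devices: Dict[str, str]) -> List[str]:
    """Sorted, de-duplicated list of source addresses Squid should admit."""
    addrs = set(hosts) | set(devices)
    return sorted(addrs, key=ipaddress.ip_address)


def squid_conf(list_path: str = LIST_PATH) -> str:
    """squid.conf fragment: admit listed sources, then deny the rest of the LAN.

    Order matters: the allow must precede the deny, and both must sit before
    any existing 'http_access allow localnet' rule or that rule wins first.
    """
    return (
        f"acl localnet src {LOCAL_NET}\n"
        f'acl registered src "{list_path}"\n'
        "http_access allow registered\n"
        "http_access deny localnet\n"
    )


def build(data_text: str = SAMPLE_DATA,
          devices: Dict[str, str] = UNREGISTERED_DEVICES) -> Tuple[str, str]:
    """Return (allow-list file contents, squid.conf fragment)."""
    hosts = registered_hosts(data_text)
    listing = "\n".join(allow_list(hosts, devices)) + "\n"
    return listing, squid_conf()


if __name__ == "__main__":
    listing, conf = build()
    print(f"# {LIST_PATH}\n{listing}\n# squid.conf\n{conf}")
```

Regenerating the list from the same data file that feeds tinydns keeps the proxy's view and the DNS view in step, which a hand-maintained list will not. Unlike the srcdom_regex ACL in post #7 this does not depend on reverse lookups at request time, so it works for the `+` hosts that have no PTR and it does not slow Squid down; but, as anomie noted, anyone who takes over a registered address still gets through, which is what ARP inspection on the switches is for.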